Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cert: use key_identifier_method of issuer for AKI #262

Merged
merged 3 commits into from
Apr 5, 2024
Merged

cert: use key_identifier_method of issuer for AKI #262

merged 3 commits into from
Apr 5, 2024

Conversation

cpu
Copy link
Member

@cpu cpu commented Apr 3, 2024
edited
Loading

Previously when issuing a certificate with an authority key identifier (AKI) extension that's signed by an issuer certificate we had a small bug where we used the to-be-issued certificate's param's key_identifier_method to derive the key identifier of the issuing certificate to use for the issued certificate's AKI. Instead we should be using the issuer certificate's param's key_identifier_method, taking care to mind the pre-specified variant.

We missed this with our unit testing of the pre-specified key identifier method because we only issued a self-signed test certificate, never issuing a certificate signed by the CA that has the customization. We principally exercised that the subject key identifier (SKI) of the self-signed cert matched the pre-specified value, but never tested that an issued cert's AKI matches the pre-specified SKI of the issuer.

This branch fixes the bug and extends test coverage to prevent further regression.

Resolves #261

@cpu cpu self-assigned this Apr 3, 2024
@cpu cpu mentioned this pull request Apr 3, 2024
Closed
@cpu cpu force-pushed the cpu-261-fix-prespec-aki branch from 3b77545 to 40c3100 Compare April 3, 2024 22:05
@cpu cpu changed the title cert: use pre-specified SKI of issuer for AKI cert: use key_identifier_method of issuer for AKI Apr 3, 2024
@cpu
cert: use key_identifier_method of issuer for AKI
ed5446a 
Previously when issuing a certificate with an authority key identifier
(AKI) extension that's signed by an issuer certificate we had a small
bug where we used the to-be-issued certificate's param's `key_identifier_method`
to derive the key identifier of the issuing certificate to use for the
issued certificate's AKI.

Instead we should be using the issuer certificate's param's
`key_identifier_method`, taking care to mind the pre-specified variant.

We missed this with our unit testing of the pre-specified key identifier
method because we only issued a self-signed test certificate, never
issuing a certificate signed by the CA that has the customization.

This commit fixes the bug and extends test coverage to prevent
further regression.
@cpu cpu force-pushed the cpu-261-fix-prespec-aki branch from 40c3100 to ed5446a Compare April 3, 2024 22:07
@cpu cpu requested review from djc and est31 April 3, 2024 22:11
djc
djc approved these changes Apr 3, 2024
View reviewed changes
Copy link
Member

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! Maybe throw in a proactive version bump?

cpu added 2 commits April 3, 2024 18:19
@cpu
Copy link
Member Author

cpu commented Apr 3, 2024
edited
Loading

Nice work! Maybe throw in a proactive version bump?

Good call. Added one and proactively updated the changelog.

I also double checked this was a regression (though I didn't bother digging up which commit was the breaker. (Edit: I think it was me in 30489d7)). Backporting the unit test from this branch to 0.12.1 shows it passing, just like described in 261.

est31
est31 approved these changes Apr 5, 2024
View reviewed changes
Copy link
Member

@est31 est31 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick fix ❤️

@djc djc added this pull request to the merge queue Apr 5, 2024
Merged via the queue into rustls:main with commit 6432225 Apr 5, 2024
15 checks passed
@djc
Copy link
Member

djc commented Apr 5, 2024

  • Published rcgen v0.13.1 at registry crates-io
  • [new tag] v0.13.1 -> v0.13.1

@cpu cpu deleted the cpu-261-fix-prespec-aki branch April 5, 2024 13:04
@cpu
Copy link
Member Author

cpu commented Apr 5, 2024

Thanks for publishing the fix 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@est31 est31 est31 approved these changes

@djc djc djc approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

v0.13: Generated cert signed by external CA cert returns cert that can't be validated against CA
3 participants
@cpu @djc @est31